Configure Packet Capture on the ExtraHop Discover Appliance with VMware

This guide describes how to configure the packet capture feature on the EDA 1000v, EDA
2000v, and EDA 6100v virtual ExtraHop Discover appliances with VMware. When packet capture
is enabled through the Admin UI on the Discover appliance, you can write triggers to specify
and deploy targeted packet captures from the Discover appliance to a disk drive on your
VMware server.

License packet capture

Ensure that your ExtraHop license has packet capture enabled.

Before you begin

The Discover appliance requires a
product key and a license to configure packet capture. Contact ExtraHop
Support to obtain your product key.

Log in to the Admin UI on the Discover appliance.

In the System Settings section, click
License.

In the Features section, check whether Packet
Capture is already enabled.

If packet capture is enabled, proceed to step 7.

If your license does not have packet capture enabled, continue to the
next step.

Click Manage License and then click
Register.

Enter the product key, and then click Register. The
ExtraHop system contacts the license server and validates the product key. After
the product key is validated, the license is downloaded and applied to your
appliance.

Refresh your browser to see the updated license.

Return to the main Admin UI page.

In the System Settings section, click Disks.

The packet capture status displays No Packet Capture
Disk. You will configure the packet capture disk in the next
section.

Configure a packet capture disk in VMware

The following settings are configured through the VMware vSphere Web Client.

From the New device drop-down list, select New
Hard Disk, and then click Add.

Set the size of the disk to 500 GB.

Expand the New Hard disk settings and confirm that
Thick Provision Lazy Zeroed is selected for
Disk Provisioning. The remaining disk settings do not
need to be changed.

Click OK.

Enable the packet capture disk

In the ExtraHop Admin UI, refresh the Disk page. The
packet capture disk should display a status of running and the
size should display 500.0GB. The drive is now allocated for
packet capture.

In the Actions column for the packet capture disk, next to
Triggered Packet Capture, click
Enable.

Click OK to add the packet capture disk.

Configure triggers to define the packet capture

The ExtraHop system gathers custom metrics through Application Inspection Triggers.
These metrics are stored internally and can be accessed by the packet capture feature. The
system will automatically process packet captures encountered in the trigger
script.
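
The following is an added example, not code from ExtraHop or from this guide: a trigger body that starts a bounded packet capture only when an HTTP response carries a 5xx status. It assumes the trigger runs on the HTTP_RESPONSE event and that `Flow.captureStart`, its `maxPackets`, `maxPacketsLookback`, and `maxBytes` options, `HTTP.statusCode`, and `Flow.server.ipaddr` behave as described in ExtraHop's Trigger API reference; confirm them against your firmware version. The helper names are hypothetical.

```javascript
// Added example. Flow and HTTP are globals that the ExtraHop system is
// assumed to supply when the trigger fires on HTTP_RESPONSE.

// Hard limits per capture so one noisy server cannot fill the capture disk.
// Option names are assumed from the Trigger API reference.
const CAPTURE_LIMITS = {
  maxPackets: 200,         // stop after 200 packets
  maxPacketsLookback: 20,  // include up to 20 packets seen before the trigger fired
  maxBytes: 1048576        // or after 1 MiB, whichever comes first
};

// Hypothetical helper: capture only server-side failures (5xx).
function shouldCapture(http) {
  return http.statusCode >= 500 && http.statusCode < 600;
}

// Hypothetical helper: build a filename-safe capture name so the pcap is
// easy to identify in "View and Download Packet Captures".
function captureName(flow, http) {
  const raw = `http${http.statusCode}-${flow.server.ipaddr}`;
  return raw.replace(/[^A-Za-z0-9._-]/g, "_");
}

// Returns the capture identifier from captureStart, or null if no capture
// was requested for this response.
function handleResponse(flow, http) {
  if (!shouldCapture(http)) {
    return null;
  }
  return flow.captureStart(captureName(flow, http), CAPTURE_LIMITS);
}

// Trigger entry point: runs only inside the appliance, where the globals exist.
if (typeof Flow !== "undefined" && typeof HTTP !== "undefined") {
  handleResponse(Flow, HTTP);
}
```

Because the capture is started only on the failing condition and is capped in packets and bytes, the trigger stays cheap on the devices it is assigned to.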

For information about writing triggers, see the following documentation:

Assign trigger to devices

After you create a trigger, the trigger must be assigned to one or more devices
before the trigger can begin collecting data.

You can also assign the trigger to a
device group, which assigns the
trigger to each device in the group.

Warning:

Avoid assigning any trigger to
all devices. Running triggers on unnecessary devices exhausts system resources.
Minimize performance impact by assigning a trigger only to the specific devices that
you need to collect data from.

In the ExtraHop Web UI, click Metrics in the top menu,
then click Sources > Devices in the left pane.

Select the checkbox for each device you want to assign the trigger to.

From the Select Action drop-down list, select
Assign to Trigger.

Select the checkbox for the trigger you want to assign to the selected
devices.

Click OK.

The trigger will execute on the selected devices whenever the trigger event
occurs.

View the packet capture results

In the ExtraHop Admin UI, in the Packet Captures section,
click View and Download Packet Captures.

Select a packet capture and then click Download Selected
Captures to download the pcap file to your workstation.

Open the downloaded packet capture in a packet analyzer, such as
Wireshark.